Android mobile malware samples have increased more than five-fold since July alone, according to a study by Juniper Networks.
The ability of anyone to develop and publish an application to the Android Market – in contrast to the more restrictive model applied by Apple for iOS – is at least partly to blame for the huge increase …

"no one checking to see that your application does what it says"

Lecture time

1) While occasionally malware has made it into the Android Market, the vast majority of such malware comes from alternate markets and stand-alone APK files distributed by various Web sites.

2) If malware has been installed on the user's phone from the Android Market, Google has the capability to remove it from there without requiring the consent of the said user. Remove it from the user's phone, I mean - not just from the Android Market. However, this capability is not present, if the malware has been installed from alternate sources.

3) Lookout is exaggerating a bit, IMHO. The known variants of Android malware are about half of what they state. 400+ - not 1000.

4) It is most definitely not true that the Android applications store model "lacks signing". Just the opposite - every app must be signed, or it cannot be installed on a non-rooted device. The problems are elsewhere: (a) the apps are signed by their producer, not by Google (for comparison, the iPhone apps are signed by Apple) and (b) there is no review process. Arguably, the app access rights model is also flawed. It relies on the user being able to decide whether to install an app that requires specific rights. Most people don't even understand what these rights mean and just allow them. In addition, there is no way of granting only some of the requested rights to the app and later granting more rights or revoking some, if necessary.

@Nergatron

Far fetched

The comparison to Windows is just a bit far-fetched. Getting malware on your phone happens if and only if you acknowledge and specifically download & install a malicious app. It's not the simple fact that malicious apps get on the Market and it's nothing like going on the same site you've been using for years only to get your system hijacked with the help of an iframe where some malicious JS was injected.

Still, it wouldn't hurt if Google would establish a reviewing process. Whether it involves approving apps or simply testing apps as they are added, it would still help. Or even better, it opens up a market for third-party app auditors.

I expect Google will eventually recognize the

money making opportunity of a "Google Approved Android App" cert, which is available only at the Android Market place. And it leaves open the possibility of third party apps which aren't certified, but installed at your own risk.

Permissions

Android's permissions system could be improved - made more fine-grained and have the user able to decline specific permissions before install for example - but it's good enough to prevent most malware being installed. Spyware which has a legitimate use might not be detectable, but most things are. Here's something like what people are shown when they download malware:

Welcome to Android Market. You have chosen to install "Talking Hamster". It requires the following permissions:

Or as the article says they could use one of the vulnerabilities in Android to bypass this completely

"In the early spring, we began seeing Android malware that was capable of leveraging one of several platform vulnerabilities that allowed malware to gain root access on the device, in the background, and then install additional packages to the device to extend the functionality of the malware.

Today, just about every piece of malware that is released contains this capability, simply because the vulnerabilities remain prevalent in nearly 90 per cent of Android devices being carried around today. Attackers know this, and they’re using it to gain privilege escalation on the device in order to gain access to data and services that wouldn’t otherwise be available."
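
The install-time permission review that the comments above debate (the all-or-nothing rights model and the "Talking Hamster" prompt) can be approximated by a reviewer with a short script. This is an added example, not code from the article or from any commenter; the manifest, the package name and the `SENSITIVE` policy table are constructed for illustration, and the manifest is assumed to be already decoded to plain XML, since the copy inside an APK is binary.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: decoded (plain-text) manifest of a hypothetical app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.talkinghamster">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

# Reviewer's policy (an assumption for this example, not an official list):
# permissions that cost money or expose personal data, with a plain reason.
SENSITIVE = {
    "android.permission.SEND_SMS": "can send text messages that cost money",
    "android.permission.READ_CONTACTS": "can read the address book",
    "android.permission.READ_SMS": "can read stored text messages",
    "android.permission.ACCESS_FINE_LOCATION": "can track precise location",
    "android.permission.RECORD_AUDIO": "can record from the microphone",
}

def requested_permissions(manifest_xml):
    """Return the permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return sorted({n for n in names if n})

def review(manifest_xml, expected):
    """Flag sensitive permissions the app's stated purpose does not explain."""
    requested = requested_permissions(manifest_xml)
    findings = [(p, SENSITIVE[p]) for p in requested
                if p in SENSITIVE and p not in expected]
    # Private data plus network access means the data can leave the device.
    reads_data = any(p != "android.permission.SEND_SMS" for p, _ in findings)
    if reads_data and "android.permission.INTERNET" in requested:
        findings.append(("android.permission.INTERNET",
                         "lets the data above be sent off the device"))
    return findings

if __name__ == "__main__":
    # A talking-toy app plausibly needs the microphone and vibration only.
    expected = {"android.permission.RECORD_AUDIO", "android.permission.VIBRATE"}
    for perm, reason in review(SAMPLE_MANIFEST, expected):
        print(f"UNEXPECTED {perm}: {reason}")
```

The `expected` set is the reviewer's judgment of what the app's stated purpose needs; anything sensitive outside it is what a user would have to notice in the install prompt.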